Cisco MDS Port-Security with Auto-Learning

3 February 2015 | Written by Nicolas Michel | Published in Data Center

I have been learning about Cisco MDS port-security recently and I have been struggling with this feature because it was different from what I expected. What I was expecting was something very similar to (and as easy as) the good old Ethernet Port-Security feature.

This is clearly not the case, and I will show you how to configure basic port-security using auto-learning. You can still configure entries manually on the MDS, but I wanted to check how the feature interacts with CFS and how it is implemented.

We will use the same topology as the one we used previously:

VSAN 10 is the only VSAN created in the topology for clarity’s sake.

As with every feature in NX-OS, the feature needs to be activated on both MDS switches:

MDS-01(config)# feature port-security
MDS-02(config)# feature port-security

Since we want to play with auto-learning and CFS distribution, we need to enable distribution, as it is not enabled by default.

MDS-01(config)# show port-security status
Fabric Distribution Disabled
VSAN1:No Active database, learning is disabled, No Session
VSAN10:No Active database, learning is disabled, No Session

MDS-02(config)# show port-security status
Fabric Distribution Disabled
VSAN1:No Active database, learning is disabled, No Session
VSAN10:No Active database, learning is disabled, No Session

MDS-01(config)# port-security distribute
MDS-01(config)# show port-security status
Fabric Distribution Enabled
VSAN1:No Active database, learning is disabled, No Session
VSAN10:No Active database, learning is disabled, No Session

MDS-02(config)# show port-security status
Fabric Distribution Disabled
VSAN1:No Active database, learning is disabled, No Session
VSAN10:No Active database, learning is disabled, No Session

As we can see above, enabling distribution for the port-security feature on one switch does not replicate to the other switches in the fabric. This behavior is different from what we see when activating enhanced zoning within a storage fabric.

We do have to activate it on the other switches as well.

MDS-02(config)# port-security distribute
MDS-02(config)# show port-security status
Fabric Distribution Enabled
VSAN1:No Active database, learning is disabled, No Session
VSAN10:No Active database, learning is disabled, No Session

Once that is done, we need to learn some WWNs into the fabric. As soon as you activate port-security for a particular VSAN, auto-learning is automagically (typo made on purpose and copyrighted by Vik Malhi 🙂 ) started as well.

MDS-01(config)# port-security activate vsan 10
MDS-01(config)# show port-security status
Fabric Distribution Enabled
VSAN1:No Active database, learning is disabled, No Session
VSAN10:No Active database, learning is disabled, Session Lock Taken

The output above shows us that the fabric has been locked for this particular VSAN and application.

In order to remove the lock and spread the configuration into the fabric, we need to commit the changes we’ve done here:

So, learning is enabled and a database has been activated as well. The same analogy as zoning applies here: there is a config database and an active database. The active database has been replicated to the other switches, but not the config database … Sounds like basic zoning, right? But the problem here is that the config database has NOT been replicated on MDS-01, where we typed the configuration. So we need to copy that active database to the config database on both MDS switches.
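The whole procedure above boils down to three things a defender wants to verify on every switch: distribution is turned on locally (the post shows it is not replicated), each protected VSAN has an active database, and no CFS session lock is left pending. The following audit script is an added example, not code from the original post or from Cisco; it parses the `show port-security status` outputs copied from the post (switch names MDS-01/MDS-02 and the `audit_fabric` helper are my own constructs) and reports each gap.

```python
import re

# Constructed sample, copied from the post's outputs at the point where MDS-01 has run
# 'port-security distribute' but MDS-02 has not.
SAMPLE_STATUS = {
    "MDS-01": "Fabric Distribution Enabled\n"
              "VSAN1:No Active database, learning is disabled, No Session\n"
              "VSAN10:No Active database, learning is disabled, No Session\n",
    "MDS-02": "Fabric Distribution Disabled\n"
              "VSAN1:No Active database, learning is disabled, No Session\n"
              "VSAN10:No Active database, learning is disabled, No Session\n",
}

VSAN_RE = re.compile(r"^VSAN\s*(\d+)\s*:\s*(.*)$")

def parse_status(text):
    """Parse one switch's output into (distribution_enabled, {vsan: state})."""
    distribute, vsans = False, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fabric Distribution"):
            distribute = line.split()[-1].lower() == "enabled"
        elif (m := VSAN_RE.match(line)):
            db, learn, session = [f.strip() for f in m.group(2).split(",", 2)]
            vsans[int(m.group(1))] = {
                "active_db": not db.lower().startswith("no active"),
                "learning": "enabled" in learn.lower(),
                "session": session,
            }
    return distribute, vsans

def audit_fabric(outputs, protected_vsans):
    """One finding per gap: distribution must be enabled on each switch (CFS does not
    replicate it), each protected VSAN needs an active database, and a session lock
    means a 'port-security commit' is still pending."""
    findings = []
    for switch, text in outputs.items():
        distribute, vsans = parse_status(text)
        if not distribute:
            findings.append(f"{switch}: port-security distribute is not enabled")
        for vsan in protected_vsans:
            st = vsans.get(vsan)
            if st is None:
                findings.append(f"{switch}: VSAN {vsan} missing from status output")
                continue
            if not st["active_db"]:
                findings.append(f"{switch}: VSAN {vsan} has no active port-security database")
            if "lock" in st["session"].lower():
                findings.append(f"{switch}: VSAN {vsan} has an uncommitted CFS session")
    return findings
```

Running `audit_fabric(SAMPLE_STATUS, [10])` on the post's outputs reports the missing distribution on MDS-02 and the absent active database on both switches; feed it the output captured after `port-security activate vsan 10` and it also flags the pending commit.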